API authentication using security keys, with best practices for merchants and partners.
Authentication across our APIs is done via secure API keys. These keys are assigned to specific users on your account and inherit permissions from those users, ensuring proper access control and security.
- Public Keys: Used for client-side operations and non-sensitive transactions
- Private Keys: Used for server-side operations requiring full access and sensitive data handling
Security Note: Always select the key type that aligns with your specific use case. Using the wrong key type can create security vulnerabilities or limit functionality.
Getting Your API Keys
To generate API keys as a merchant:
- Log into your Merchant Portal
- Navigate to Settings > Security Keys
- Click Add a New Key
- Add a descriptive Key Name for easy identification
- Select the username you want to associate with this key.
- Select the Key Permission type and select Create.
To create API keys as a partner:
- Log into your Partner Portal
- Go to Settings > Security Keys
- Click Add a New Key
- Add a descriptive Key Name for easy identification
- Select the username you want to associate with this key.
- Select the Key Permission type and select Create.
Authentication Methods
Include your API key in the request header:
curl -X GET "https://sandbox.nmi.com/api/v5/endpoint" \
-H "Authorization: YOUR_API_KEY"For Classic APIs, include your API key in the Request Body:
{
"api_key": "YOUR_API_KEY",
"other_data": "value"
}Key Management
Creating Multiple Keys
We recommend generating different API keys for different purposes:
- Development: For testing and development environments
- Production: For live production systems
- Team Members: Individual keys for different developers
- Applications: Separate keys for different applications or services
Rotating API Keys
If a key is compromised or for regular security maintenance:
- Generate New Key: Create a replacement key with the same permissions
- Update Applications: Replace the old key in all applications
- Test Functionality: Verify all systems work with the new key
- Revoke Old Key: Delete the compromised key from your account
- Document Change: Update your security documentation
Key Permissions
API keys inherit permissions from the user account they're associated with. Ensure:
- Users have appropriate role-based access controls
- Keys are assigned to accounts with minimal required permissions
- Permissions are reviewed and updated regularly
- Unused or excessive permissions are removed
Integration Examples
Basic Authentication Request
// Node.js example
const axios = require('axios');
const response = await axios.get('https://sandbox.nmi.com/api/v5/endpoint', {
headers: {
'Authorization': `${process.env.API_KEY}`,
'Content-Type': 'application/json'
}
});Error Handling
Always implement proper error handling for authentication:
try {
const response = await makeAPIRequest();
return response.data;
} catch (error) {
if (error.response?.status === 401) {
throw new Error('Authentication failed. Check your API key.');
} else if (error.response?.status === 403) {
throw new Error('Access forbidden. Insufficient permissions.');
}
throw error;
}Common Issues & Troubleshooting
Causes:
- Invalid or expired API key
- Missing Authorization header
- Incorrect key format
Solutions:
- Verify key is correct and active
- Check header formatting
- Regenerate key if necessary
Causes:
- Insufficient permissions
- Account restrictions
- Rate limit exceeded
Solutions:
- Review key permissions
- Contact support for account issues
- Implement rate limiting
Causes:
- Wrong environment (test vs. live)
- Key type mismatch
- Account configuration issues
Solutions:
- Verify environment settings
- Check public vs. private key usage
- Review account configuration
Actions:
- Immediately rotate compromised keys
- Review access logs
- Update security practices
- Contact support if needed
Prevention:
- Regular security audits
- Secure key storage
- Access monitoring
